SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #29

April 11, 2014

TOP OF THE NEWS

Patch Available for Heartbleed Flawx
Governments Take Steps to Address Heartbleed
Heartbleed Affects More Than Websites

THE REST OF THE WEEK'S NEWS

Report Says Most UK Police Forces Not Equipped to Handle Cyber Crime
Threat Info Sharing Does Not Violate Antitrust Laws
Health Sector Cyber Security Drill
Google Android Update Will Improve App Security
BlackBerry OS 10 Update
Second Univ. of Maryland Intrusion the Work of Frustrated Software Engineer
In-Flight Wi-Fi Provider Gogo Goes Above and Beyond CALEA
Man Involved in Carder Forum Pleads Guilty to Racketeering Charges
DelTek Breach Exposes 80,000 Contractor Employees' Data
Orbit Open Ad Server Fixes SQL Injection Vulnerability
Microsoft and Adobe Release Security Updates
Judge Denies Wyndham Motion to Dismiss FTC Suit

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*************************** Sponsored By Bit9 ****************************
XP End of Life is here - there are NO MORE security updates and your systems are now experiencing critical patches. How will you protect your organization? Keep your XP systems compliant and secure - without upgrading or paying for out-of-band support! Positive security is the best compensating control. Download the eBook: http://www.sans.org/info/157105
**************************************************************************
TRAINING UPDATE

-- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465


-- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


-- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses.
http://www.sans.org/event/pentest-berlin-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Patch Available for Heartbleed Flaw (April 10, 2014)

OpenSSL has released a patch for a critical flaw in its implementation of the Transport Security Layer protocol's "heartbeat" extension that threatens the security of passwords, source code, and encryption keys. The protocol is widely used across the Internet.
-http://www.darkreading.com/vulnerabilities---threats/emergency-ssl-tls-patching-
under-way/d/d-id/1204282?
- From Internet Storm Center: List of vendor statements/patches for OpenSSL:
-https://isc.sans.edu/forums/diary/Heartbleed+vendor+notifications/17929
[Editor's Note (Murray): This flaw is so far down in the stack that most enterprises must look to their vendors to know whether or not they are vulnerable. This link may help some:
-http://www.mnemonic.no/en/Andre-sprak/English/Blog/Status-on-products-versus-Ope
nSSL-vulnerabilityCVE-2014-0160/]

Governments Take Steps to Address Heartbleed (April 10, 2014)

Government agencies in the US and Canada are taking steps to help protect people from the risks of the Heartbleed OpenSSL vulnerability. The Canada Revenue Agency has temporarily shut down public access to online services, meaning that citizens cannot file taxes on line. The US Internal Revenue Service (IRS) will continue to accept online returns as Heartbleed does not affect their systems. The US FDIC has issued a press release exhorting financial institutions to take steps to protect their systems. Gartner fraud analyst Avivah Litan pointed out that the vulnerability affects more than just websites: "most trusted machine to machine communications. The bug affects routers, switches, operating systems, and other applications ..."
-http://www.govinfosecurity.com/heartbleed-gov-agencies-respond-a-6737/op-1
-http://www.computerworld.com/s/article/9247563/Canada_halts_online_tax_returns_i
n_wake_of_Heartbleed?taxonomyId=17

Heartbleed Affects More Than Websites (April 10, 2014)

The Heartbleed vulnerability affects client side OpenSSL installations as well.
-http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says
_sans/
(April 11, 2014) It also affects routers.
-http://www.bloomberg.com/news/2014-04-10/heartbleed-found-in-cisco-juniper-netwo
rking-products.html

---

************************** Sponsored Links: ******************************
1) Not Your Father's IPS: SANS Survey on Network Security Results Read the results of the SANS Network Survey to understand how contemporaries are using IPS and how NGIPS is evolving to counter today's cyber threat. http://www.sans.org/info/157110

2) Losing the Fight on APTs? Tony Sager Explains Where We're At With Threat Detection Automation, Wednesday April 30 at 3 PM EDT. http://www.sans.org/info/157115

3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Report Says Most UK Police Forces Not Equipped to Handle Cyber Crime (April 10, 2014)

According to a report from Her Majesty's Inspectorate of Constabulary (HMIC), just three of 43 police forces in England and Wales "have developed comprehensive cyber crime strategies." The report also shows that just two percent of police officers have been trained to investigate cyber crime, and only 15 police forces "had considered cybercrime threats in their STRAs (strategic threat and risk assessments)."
-http://www.v3.co.uk/v3-uk/news/2339161/only-three-of-43-police-forces-able-to-ta
ckle-cybercrime-challenges
HMIC Strategic Policing Requirement Report:
-http://www.hmic.gov.uk/wp-content/uploads/2014/04/an-inspection-of-the-arrangeme
nts-that-police-forces-have-in-place-to-meet-the-strategic-policing-requirement.
pdf
[Editor's Note (Henry): This is an issue that is playing out in law enforcement agencies both in the United States and around the world. The UK actually has some very capable investigators in the NCA at the federal level, though local agencies worldwide will continue to struggle with lack of adequate capabilities, resources, and access to relevant information. ]

Threat Info Sharing Does Not Violate Antitrust Laws (April 10, 2014)

The US Justice Department (DOJ) and the Federal Trade Commission (FTC) have issued a joint policy statement clarifying that companies are allowed to share cyber threat information with each other without violating antitrust laws. The rules allow companies to share incident reports, digital fingerprints that identify malware, and attackers' IP addresses. Joint Policy Statement:
-http://www.justice.gov/atr/public/guidelines/305027.pdf
-http://www.nextgov.com/cybersecurity/2014/04/us-promises-not-sue-companies-discu
ssing-hacks/82321/?oref=ng-HPriver
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/10/washington-is-makin
g-it-easier-for-businesses-to-swap-notes-on-hackers/
-http://thehill.com/blogs/hillicon-valley/technology/203229-feds-companies-can-sh
are-info-to-prevent-hackss
-http://www.businessweek.com/news/2014-04-10/cyber-info-sharing-by-firms-doesn-t-
violate-antitrust-laws-1
-http://www.computerworld.com/s/article/9247587/Feds_okay_with_cyberthreat_info_s
haring_say_its_not_an_antitrust_violation?taxonomyId=17
[Editor's Note (Pescatore): I think I pointed out last month that the FTC and DoJ have long had "Competitor Collaboration" guidelines out, and there are no real legal obstacles to businesses sharing threat information with each other, and it happens routinely in many, if not most, industries. The real concern with most corporate legal counsels is sharing that information with the government - which can open up potential paths for exposure and liability that aren't covered under existing guidelines or addressed in this latest policy statement. However, there are some legal counsels that have prohibited such sharing (see health sector item) - CISOs at those companies can use this policy statement to overcome those objections.
(Northcutt): I read the statement and it seems to make sense, but highly recommend this goes through corporate council and the output is a pragmatic set of rules of engagement. ]

Health Sector Cyber Security Drill (April 10, 2014)

On April 1, the US Department of Health and Human Services (HHS) conducted a cyber security drill for 13 participating companies in the healthcare sector. HHS CISO Kevin Charest noted the medical world shows a "resistance to information security best practices," citing physicians' resistance to two factor authentication as an example." One challenge within the industry that became clear is a reluctance to share threat and incident information because of liability issues. The drill also indicated places where some organizations need to improve their "basic blocking and tackling," such as knowing who to call during an incident. A second drill with more participants is scheduled for this summer.
-http://www.govinfosecurity.com/hhs-ciso-on-healthcare-cybersecurity-a-6733/op-1
[Editor's Note (Pescatore): SANS is working with the National Health ISAC to address many of these issues at the second SANS Health Care Security Summit later this year. Last year's event showed many CISOs in health care see resistance to basic security hygiene by medical appliance and medical software vendors to be at least as high as the resistance by physicians.
(Henry): It's a positive step to see continued exercising within the federal ranks. The Healthcare sector is behind others in their understanding of the risk and threat. I think exercising and working within the industry vertical will help to promote trusted relationship and foster much better actionable intelligence dissemination and sharing. ]

Google Android Update Will Improve App Security (April 10, 2014)

Google's Android team will release an upgrade that includes a feature to constantly monitor devices to ensure that apps are secure, even after they have been installed. Android has made headlines recently for several app security issues.
-http://www.zdnet.com/google-gives-android-apps-a-security-booster-shot-700002830
3/
[Editor's Note (Ullrich): It is great to see Google improving Android security. However, these changes will not matter if end users will never receive these updates from handset vendors and carriers. ]

BlackBerry OS 10 Update (April 9 & 10, 2014)

BlackBerry has issued a security update for BlackBerry 10 to address a remote code execution vulnerability. The issue affects the qconnDoor service, which allows developers to access the devices when users have enabled the development mode. The flaw can be exploited over Wi-Fi or with a USB.
-http://www.computerworld.com/s/article/9247575/BlackBerry_10_OS_update_fixes_rem
ote_code_execution_flaw?taxonomyId=17
-http://www.scmagazine.com/blackberry-issues-update-for-remote-code-execution-vul
nerability/article/342007/

Second Univ. of Maryland Intrusion the Work of Frustrated Software Engineer (April 9 & 10, 2014)

The most recent cyber intrusion at the University of Maryland was the work of a software engineer who knew about the flaw that was later exploited in the earlier, larger intrusion. David Helkowski had warned his co-workers and his boss, but no one took action. The more recent intrusion occurred on March 15 and involved the exposure of personal data of UMD President Wallace Loh. Helkowski lost his job at the Canton Group, a Baltimore-based consulting group, which was contracted by UMD.
-http://www.scmagazine.com/latest-umd-intrusion-linked-to-it-worker-exposing-secu
rity-issues-account-shows/article/342202/
-http://arstechnica.com/tech-policy/2014/04/whitehat-hacker-goes-too-far-gets-rai
ded-by-fbi-tells-all/

In-Flight Wi-Fi Provider Gogo Goes Above and Beyond CALEA (April 9 & 10, 2014)

In-flight wi-fi provider Gogo apparently exceeds baseline requirements regarding sharing user data with the US law enforcement. All providers of in-flight wi-fi must comply with wiretap requirements as set forth in the Communications Assistance for Law Enforcement Act (CALEA), but "Gogo worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests," according to a July 2012 letter from GoGo to the Federal Communications Commission (FCC). Panasonic Avionics, another in-flight wi-fi provider, made a similar arrangement.
-http://arstechnica.com/tech-policy/2014/04/at-feds-request-gogo-in-flight-wi-fi-
service-added-more-spying-capabilities/
-http://www.wired.com/2014/04/gogo-collaboration-feds/
Gogo's letter to FCC:
-http://www.wired.com/wp-content/uploads/2014/04/Gogo-Letter-to-FCC.pdf

Man Involved in Carder Forum Pleads Guilty to Racketeering Charges (April 9 &10, 2014)

Cameron Harrison has pleaded guilty to federal racketeering charges for his role in a payment card fraud scheme. Harrison was part of a group that operated the Cardersu website, which is believed to be responsible for US $50 million in losses due to fraudulent transactions. The group was broken up in 2012; so far, 55 people have been charged. The ring leaders, who ran the organization from Russia, remain at large. The case against Harrison is one of the first in which prosecutors have used racketeering charges against cyber crimes.
-http://www.bbc.com/news/technology-26972284
-http://arstechnica.com/tech-policy/2014/04/man-behind-carder-su-racketeering-oth
er-cybercrime-pleading-guilty/
Harrison's plea document:
-http://cdn.arstechnica.net/wp-content/uploads/2014/04/kilobitguiltyplea1.pdf

DelTek Breach Exposes 80,000 Contractor Employees' Data (April 9, 2014)

A breach of the GovWin IQ system at Deltek compromised the sensitive information of 80,000 federal contractor employees. The incident was discovered on March 13. The attacker gained access to GovWin IQ usernames and passwords. Some payment card information was compromised as well. A suspect has been arrested.
-http://www.federalnewsradio.com/241/3599420/Deltek-suffers-cyber-attack-putting-
80000-employees-of-vendors-at-risk-
-http://www.nextgov.com/cybersecurity/2014/04/80000-employees-federal-contractors
-compromised-cyberattack/82222/?oref=ng-channeltopstory

Orbit Open Ad Server Fixes SQL Injection Vulnerability (April 9, 2014)

Orbit Open Ad Server has fixed an SQL injection vulnerability that placed website visitors in danger of having their data stolen. The ad platform's vendor was alerted to the problem last month and fixed it on March 21.
-http://www.scmagazine.com/popular-ad-server-patches-sql-injection-flaw-impacting
-platform/article/342000/

Microsoft and Adobe Release Security Updates (April 8 & 9, 2014)

On Tuesday, April 8, Microsoft released four security bulletins to address a total of 11 flaws in Windows, Internet Explorer (IE), Microsoft Office, and Microsoft Publisher. Two of the bulletins are rated critical; one addresses flaws in IE, and the other fixes a pair of flaws in Microsoft Office. This update marks the end of Microsoft's support for the Windows XP operating system as well as for Office 2003. Adobe has issued security updates to address four critical remote code execution flaws in Flash Player and Air.
-http://www.theregister.co.uk/2014/04/08/office_ie_and_flash_fixes_accompany_fina
l_xp_patch_tuesday/
-http://www.computerworld.com/s/article/9247525/Microsoft_Patch_Tuesday_bids_adie
u_to_Windows_XP?taxonomyId=17
-http://www.scmagazine.com/microsoft-releases-final-fixes-for-windows-xp-office-2
003/article/341850/
-http://krebsonsecurity.com/2014/04/adobe-microsoft-push-critical-fixes/
-http://technet.microsoft.com/en-us/security/bulletin/ms14-apr
-http://www.computerworld.com/s/article/9247548/Adobe_patches_critical_flaws_in_F
lash_Player_and_AIR?taxonomyId=17

Judge Denies Wyndham Motion to Dismiss FTC Suit (April 8, 2014)

A US District Court judge has dismissed Wyndham Hotels request to dismiss an FTC lawsuit, supporting the Federal Trade Commission's (FTC's) authority to sue companies that do not adequately protect customer data. That power was being challenged by Wyndham, which maintained that the FTC was overreaching its authority when it filed a lawsuit against the hotel chain for failing to safeguard customer information. The FTC maintains it has the authority to sue companies to inadequate customer data protection because Congress granted it the power enforce "unfair" business practices. The FTC's original lawsuit alleged that Wyndham had failed to employ even basic security measures, like firewalls and separating networks. Due to the lack of security, thieves accessed Wyndham's system though a network in a hotel in Phoenix and stole 500,000 payment card numbers. Wyndham maintained that inadequate data protection does not fall under the heading of unfair business practices.
-http://www.scmagazine.com/judge-denies-wyndham-motion-challenging-ftc-authority/
article/341862/
-http://www.nextgov.com/cybersecurity/2014/04/court-upholds-ftcs-power-sue-hacked
-companies/82084/?oref=ng-channelriver
Denial of Motion to Dismiss:
-http://media.scmagazine.com/documents/67/ftc-wyndham_opinion_16575.pdf
[Editor's Note (Pescatore): This is the third recent ruling that validated the FTC's authority in this area. Part of the FTC definition of "unfair business practices" are those that cause unjustified injury to consumers that they could not avoid on their own - having your identity stolen via sloppy security practices seems to fit that definition pretty well. This is also an areas where focusing on the Critical Security Controls to prioritize remediation would easily avoid such FTC actions. ]

---

STORM CENTER TECH CORNER

Heartbleed Spam
-https://isc.sans.edu/forums/diary/Brace+Yourselves+and+your+Users+Clients+for+He
artbleed+SPAM/17939

Fastmail DNS Hijack Attempt
-http://blog.fastmail.fm/2014/04/10/when-two-factor-authentication-is-not-enough/

OpenSSL Heartbleed Updates
-https://isc.sans.edu/forums/diary/Heartbleed+vendor+notifications/17929
-https://www.sans.org/webcasts/openssl-heartbleed-vulnerability-98105

Microsoft Patch for Mac version of Office
-http://technet.microsoft.com/en-us/security/advisory/2953095

Wordpress Security Update
-http://wordpress.org/news/2014/04/wordpress-3-8-2/

WSUS Problem with Windows 8.1 Patch
-http://blogs.technet.com/b/wsus/archive/2014/04/08/windows-8-1-update-prevents-i
nteraction-with-wsus-3-2-over-ssl.aspx

Chrome no longer supports autocomplete=off setting
-https://groups.google.com/a/chromium.org/forum/#!msg/chromium-dev/zhhj7hCip5c/Px
btDtGbkV0J

OpenSSL Heartbleed Update
-https://isc.sans.edu/forums/diary/+Patch+Now+OpenSSL+Heartbleed+Vulnerability/17
921

Microsoft Patch Tuesday
-http://technet.microsoft.com/en-us/security/bulletin/ms14-apr

Adobe Patch Tuesday
-http://helpx.adobe.com/security/products/flash-player/apsb14-09.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/